Cloud computing is an increasingly popular paradigm in which computing resources, such as software, hardware, and data storage, are provided as services to remote computers via one or more networks. These resources can be shared among multiple entities and can be accessed on demand by each entity. In a typical commercial arrangement, the physical infrastructure (e.g., servers, storage systems, communication infrastructure, etc.) supporting the resources is owned and/or operated by a cloud computing provider, which delivers the resources as services to a customer over the Internet according to some agreed-upon level of service and method of billing. This paradigm is attractive to many enterprises because it provides ready access to computation and storage capacity with low upfront capital expenditure. Even for larger enterprises with flexible capital budgets, cloud computing can be a cost-effective option for meeting demand spikes.
As an enterprise migrates more of its data and/or applications “to a cloud” (e.g., to be hosted on a cloud computing provider's servers reachable via the Internet), new security challenges arise. For instance, the enterprise may wish to limit access to the resources hosted on cloud servers to authorized users only, preferably according to the same access control policies implemented within the enterprise's own managed network.
FIG. 1 shows a conventional solution for controlling access to resources hosted in a cloud. In this example, multiple applications (e.g., 110A, 110B, . . . ) and data stores (e.g., 115A, 115B, . . . ) are hosted on one or more servers at a cloud facility 105. One or more of these applications and data stores may be hosted on behalf of an enterprise that is a customer of the cloud facility 105. The enterprise also operates its own internal network 155 having one or more servers (e.g., 180A, 180B, . . . ) providing services that may be the same as, or different from, the services hosted in the cloud. Although not shown, the enterprise network 155 may include other network devices such as client computers and storage devices.
When an employee of the enterprise (e.g., the user 195) wishes to access an enterprise resource (e.g., checking his email, running a business application, retrieving a document from a corporate database, etc.), he may be prompted to undergo an authentication procedure using his computer (e.g., the client computer 190) to prove that he is who he purports to be. The authentication procedure may be more or less stringent depending on the enterprise's security requirements. For example, if the user is attempting to access a service provided by a server within the enterprise network 155 (e.g., one of the servers 180A, 180B, . . . ) from a connection point outside the enterprise network 155, he may be prompted to identify himself (e.g., by providing his username) to an enterprise authentication server 160 and provide one or more user credentials (e.g., a password) that can be used by the authentication server 160 to verify his identity. The authentication server may further determine whether the user is authorized to access the requested service, for example, according to one or more enterprise access policies and the user's role within the enterprise's organizational hierarchy.
Additionally, if the user 195 wishes to connect to the enterprise network 155 using the client computer 190, he may be prompted to undergo an endpoint compliance inspection procedure. For example, the user may be prompted to provide a statement of health regarding the client computer 190 to a health policy server (not shown). Based on the statement of health, the health policy server may verify whether one or more protective components are installed on the client computer 190 and, if so, whether they are properly configured and operational. For example, the health policy server may check whether one or more patches have been installed to remedy a vulnerability in an operating system component. As another example, the health policy server may check whether a protective software tool, such as a personal firewall or an anti-virus program, has been installed and configured with appropriate operating parameters.
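The access gate described above has three stages: the authentication server 160 verifies the user's credential, it then checks the requested service against enterprise access policies and the user's role, and the health policy server checks the client's statement of health for required patches and protective tools. The following is an added example, not code from the patent or from any of the systems it describes, that models those three stages in one decision function. The user directory, the policies, the patch identifier "PATCH-2024-001", and the statements of health are all constructed sample data; the password storage (PBKDF2 with a per-user salt) and the default-deny policy lookup are the editor's choices, not anything the page specifies.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 so the server never stores the plaintext credential.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AuthenticationServer:
    """Verifies identity (username + password) and applies access policies by role."""

    def __init__(self) -> None:
        self._users = {}     # username -> (salt, password hash, role)
        self._policies = {}  # service name -> frozenset of roles allowed

    def add_user(self, username: str, password: str, role: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(password, salt), role)

    def add_policy(self, service: str, roles: set) -> None:
        self._policies[service] = frozenset(roles)

    def authenticate(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Hash anyway so an unknown user costs the same time as a bad password.
            _hash_password(password, b"\x00" * 16)
            return False
        salt, stored, _ = record
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def authorize(self, username: str, service: str) -> bool:
        # Default deny: an unknown service or unknown user gets no access.
        roles = self._policies.get(service, frozenset())
        record = self._users.get(username)
        return record is not None and record[2] in roles


@dataclass(frozen=True)
class StatementOfHealth:
    installed_patches: frozenset
    firewall_enabled: bool
    antivirus_running: bool
    antivirus_signature_age_days: int


class HealthPolicyServer:
    """Checks a client's statement of health against the endpoint policy."""

    def __init__(self, required_patches, max_signature_age_days: int) -> None:
        self._required_patches = frozenset(required_patches)
        self._max_signature_age_days = max_signature_age_days

    def evaluate(self, soh: StatementOfHealth) -> list:
        # Returns every reason the endpoint is non-compliant (empty list = healthy).
        failures = []
        missing = self._required_patches - soh.installed_patches
        if missing:
            failures.append("missing patches: " + ", ".join(sorted(missing)))
        if not soh.firewall_enabled:
            failures.append("personal firewall disabled")
        if not soh.antivirus_running:
            failures.append("anti-virus not running")
        elif soh.antivirus_signature_age_days > self._max_signature_age_days:
            failures.append("anti-virus signatures out of date")
        return failures


def decide_access(auth, health, username, password, service, soh):
    """Full gate: identity, then authorization, then endpoint compliance."""
    if not auth.authenticate(username, password):
        return False, "authentication failed"
    if not auth.authorize(username, service):
        return False, "not authorized for " + service
    failures = health.evaluate(soh)
    if failures:
        return False, "endpoint non-compliant: " + "; ".join(failures)
    return True, "granted"


def build_demo():
    # Constructed sample directory, policies and patch id (hypothetical, not from the page).
    auth = AuthenticationServer()
    auth.add_user("alice", "alice-sample-password", "finance")
    auth.add_user("bob", "bob-sample-password", "engineering")
    auth.add_policy("corporate-database", {"finance"})
    auth.add_policy("email", {"finance", "engineering"})
    health = HealthPolicyServer(required_patches={"PATCH-2024-001"}, max_signature_age_days=7)
    return auth, health


HEALTHY = StatementOfHealth(frozenset({"PATCH-2024-001"}), True, True, 1)
STALE_AV = StatementOfHealth(frozenset({"PATCH-2024-001"}), True, True, 30)
UNPATCHED = StatementOfHealth(frozenset(), True, True, 1)

if __name__ == "__main__":
    auth, health = build_demo()
    for user, pw, svc, soh in [("alice", "alice-sample-password", "corporate-database", HEALTHY),
                               ("bob", "bob-sample-password", "corporate-database", HEALTHY),
                               ("bob", "bob-sample-password", "email", STALE_AV),
                               ("alice", "alice-sample-password", "email", UNPATCHED)]:
        print(user, svc, decide_access(auth, health, user, pw, svc, soh))
```

The ordering matters for what an unauthenticated client can learn: authorization and health results are only reported after the credential check succeeds, and a failed login returns the same message whether the username exists or not.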
If the user is attempting to access a service hosted in the cloud, he may be prompted to undergo an authentication procedure with a cloud authentication server 120, which may duplicate some or all of the access control functionalities of the enterprise authentication server 160. For instance, the cloud authentication server 120 may duplicate the enterprise's identity management and access policy infrastructure, so that it can make decisions in the same manner as the enterprise authentication server 160.